Two Security Issues

mavis · New Member Joined: Feb 16, 2004 Posts: 12

We have found out that if you select all users posts, posts from two hidden forums (one moderators) can be seen by users. How can we prevent this?

The other issue is the scrolling newsblock - we want to remove our hidden forums from that too.

Please advise.

Raven · Posted: Mon Feb 16, 2004 4:28 pm

If by scrolling news you mean the recent posts block, that is a customized block, and any new forums that you add into there have to be manually added to the block code, just like your other one was. If you look on line 44 you will see where forum id 20 is being blocked. You would just need to expand that from

Code:

where forum_id != '20'

to

Code:

where forum_id NOT IN('20','??')

where you replace the ?? with the forum to block.

As to your other issue, can you be more specific? What do you mean by 'select all user posts'?

mavis · New Member Joined: Feb 16, 2004 Posts: 12

sorry we didn't set up the scroll block, you did so I'm afraid none of that made any sense to me. Embarassed

I'll get back to you on the other question, I was advised by a fellow mod about it.

mavis · New Member Joined: Feb 16, 2004 Posts: 12

Raven, say you are looking thru the forums and you click on a thread - if you click on a posters name, it takes you to an "all about so and so" profile type thing - in the profile it says "find all posts by" - if you click on that for any of the four of us mods - you can read all of our posts - even those that are supposed to be hidden from view in the "moderators forum"

chatserv · Posted: Mon Feb 16, 2004 7:30 pm

After having browsed through over 35 pages of posts i could not find any posts from forums for which i had no access and i was even logged in as Nuke admin (not forum admin)

Raven · Posted: Tue Feb 17, 2004 10:16 am

Mavis, have you actually logged in using a user's name that you know does not have access (like adding a user named mavistest) and seeing what you can and can't do? We can't reproduce the error here, but it might be a flaw with your version, although we have not heard of this before.

mavis · New Member Joined: Feb 16, 2004 Posts: 12

nope will try that now

on the first issue can you please elaborate and tell me where row 44 is and where to put the codes and how to find them etc. thanks

Raven · Posted: Tue Feb 17, 2004 11:17 am

in your blocks/block-block-ForumsScroll.php file.

mavis · New Member Joined: Feb 16, 2004 Posts: 12

and is that in administration or php or ftp or control panel - you do know you are dealing with retards here don't you! Wink

Raven · Posted: Tue Feb 17, 2004 11:26 am

You have to ftp the file down to your pc, modify it, and then ftp it back Smile

mavis · New Member Joined: Feb 16, 2004 Posts: 12

no posts from the unaccessible forums are visible on a test member. melanie was panicking unnecessarily!

Raven · Posted: Tue Feb 17, 2004 11:31 am

mavis · New Member Joined: Feb 16, 2004 Posts: 12

OK I got the file now what the hell do I do with it LOL its scaring me!!! Shocked

mavis · New Member Joined: Feb 16, 2004 Posts: 12

HELP!!!!!!!!

Raven · Posted: Wed Feb 18, 2004 4:09 pm

I explained that in my second post above Smile

mavis · New Member Joined: Feb 16, 2004 Posts: 12

no you said modify it, I have no idea how to modify it thats my point lol

Raven · Posted: Wed Feb 18, 2004 4:59 pm

You edit the file by using cPanel or ftp'ing to your pc, modify it, then ftp it back. In my post I explain exactly what line to modify and how to modify it. The method you use is up to you. Does that help?

mavis · New Member Joined: Feb 16, 2004 Posts: 12

right OK luckily Minx is not as retarded as me. BUT your info was slightly out. What it should read is forum_id NOT IN (20," ")

Raven · Posted: Wed Feb 18, 2004 5:05 pm

Ah yes. MySQL doesn't honor the ! as NOT with the IN clause. I will correct the post.

mavis · New Member Joined: Feb 16, 2004 Posts: 12

Raven wrote:

You edit the file by using cPanel or ftp'ing to your pc, modify it, then ftp it back. In my post I explain exactly what line to modify and how to modify it. The method you use is up to you. Does that help?

the modifying it was the difficult bit - line 44 meant nothing to me, luckily minx helped me find it

mavis · New Member Joined: Feb 16, 2004 Posts: 12

Raven wrote:

Ah yes. MySQL doesn't honor the ! as NOT with the IN clause. I will correct the post.

cool I did try yours first then minx told me what hers was and I copied that and it worked Laughing

addy · Hangin' Around Joined: Mar 28, 2005 Posts: 42

I'm going to bump this because I've been searching for literally hours and this is the ONLY post I've come accross with the issue I have.

I was informed that someone that is in no group can use the find all posts feature under anyone's profile to see into the restricted sections.

I upgraded to the current phpbb forum. I was 2.15 now I am 2.17. It did not fix this issue.

I do not see any similiar blocks like the one mentioned in this post. I believe it's 7.6 that I'm running after hearing about security risks on the newer versions of phpnuke. If I need to upgrade that I will happily do so.

The only mods I've added to the site is a roster - it's a gaming site and a user info block.

I might take down the forums tonight until I get this resolved. Any help would be awesome and I'll keep plugging along looking for more info about this issue.

Raven · Posted: Mon Oct 17, 2005 7:40 pm

Please post you block code so that we may better help you.

addy · Hangin' Around Joined: Mar 28, 2005 Posts: 42

Which block contents would you like me to post?

stoney · New Member Joined: Oct 10, 2005 Posts: 20

I think what he is trying to say is that if you look at a users profile and do find all posts (like I do with you and chatserv all the time lol) that you can see posts from restricted areas that the user would not normally be able to see.